Wearable devices require a lot of trust.
And
besides being in the minds of consumers, trust is something that has to occur between and among connected devices.
In a wide-ranging report on security design flaws in wearable fitness
trackers, the highly regarded IEEE Computer Society detailed some of the trust factors.
The organization identified what it terms the top 10 software security design flaws and created a
fictitious wearable tracking system to illustrate the flaws.
What struck me in the report are the issues around trust.
In the recommendations for securing fitness trackers, the first
rule is to “earn or give, but never assume, trust.”
In its wearable device, a pairing process would be used to establish trust with the application running on a mobile device. Once
the consumer confirms a match, each device stores the other device’s identity. From that point on, the devices have a trust relationship with each other.
The issue of trust also extends
to partners that interface with wearable systems, such as advertisers or ad platforms.
Trust is inherently time-sensitive and can be revoked. “It’s unsafe, generally, to assume
that just because trust existed at some point in time it continues to exist over time,” states the report.
Trust between the wearable and the mobile app are only reset when the user
changes their authentication credentials.
And trust is only one component of a secure fitness tracker.
The report recommends that systems never process control instructions received
from untrusted sources and to keep data and control instructions totally separate.
The design flaws and recommendations in the IEEE report are intended for those involved in creating and
participating in the wearable fitness tracking ecosystem.
Even if all of them are followed, marketers still will have to convince consumers that the new device on their wrist is not sharing
data with anyone not authorized to get it.
And that may be the biggest trust challenge of all.